[Bro] TRW Scan feature suggestion

Thomas, Eric D. edthoma at sandia.gov
Thu Mar 1 16:05:15 PST 2007


Hello, the honeypot specification for my site is much more complex than can
be expressed as a set of addresses. And unfortunately this is significantly
skewing my TRW scan results.

Might I suggest a small but permanent change to the TRW algorithm: instead
of using a set lookup (the honeypot global) to determine whether a
connection is related to a honeypot, let there be a function variable that
gets set to a function which takes a connection record as input and returns
a boolean. The return value specifies T/F whether the connection is
associated with a honeypot. This function is called in check_TRW_scan
(trw-impl.bro) instead of the set lookup in honeypot.

The default function would do the simple set lookup, as is done now. But it
allows others to create a function that performs more complex operations.

Cheers,

Eric Thomas
Sandia National Laboratories
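As an added illustration of the hook proposed above, here is a small Python model of a TRW-style detector with a pluggable honeypot predicate. This is example code written for this page, not Bro script and not the code of trw-impl.bro; the connection fields, the `honeypot_by_set` / `honeypot_by_policy` names, the addresses and the sweep are constructed, and treating a honeypot contact as a "failure" observation is this model's assumption about how such hits feed the random walk.

```python
"""Model of a pluggable honeypot predicate in a TRW-style scan detector.

Example code, not Bro's trw-impl.bro. The likelihood-ratio update follows
Jung et al.'s Threshold Random Walk; counting a honeypot contact as a
"failure" observation is this model's assumption, not a fact about Bro.
"""
from dataclasses import dataclass
from fractions import Fraction
from ipaddress import ip_address, ip_network
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Connection:
    orig_h: str
    resp_h: str
    resp_p: int
    established: bool  # True if the responder completed the handshake


HoneypotPredicate = Callable[[Connection], bool]

# Status quo: a flat set of honeypot addresses (the role of Bro's `honeypot` global).
HONEYPOT_ADDRS = {"192.0.2.200"}


def honeypot_by_set(c: Connection) -> bool:
    """Default predicate: plain set membership, equivalent to the current lookup."""
    return c.resp_h in HONEYPOT_ADDRS


# Hypothetical richer specification that a set of addresses cannot express:
# a darknet /25, but only privileged ports on it count as honeypot services.
HONEYPOT_NET = ip_network("192.0.2.128/25")


def honeypot_by_policy(c: Connection) -> bool:
    """Richer predicate: anything in the darknet on a port below 1024 is a honeypot."""
    return ip_address(c.resp_h) in HONEYPOT_NET and c.resp_p < 1024


# TRW parameters from Jung et al.: P[success | benign] = THETA0, P[success | scanner] = THETA1.
THETA0 = Fraction(8, 10)
THETA1 = Fraction(2, 10)
ALPHA = Fraction(1, 100)          # false-positive bound
BETA = Fraction(99, 100)          # detection probability
ETA1 = BETA / ALPHA               # upper threshold: declare scanner (99)
ETA0 = (1 - BETA) / (1 - ALPHA)   # lower threshold: declare benign (1/99)


def trw_classify(conns: Iterable[Connection], is_honeypot: HoneypotPredicate) -> Optional[str]:
    """Run the TRW likelihood-ratio test over one source's connection attempts.

    The honeypot check is the injected predicate rather than a fixed set lookup.
    Returns "scanner", "benign", or None if the walk never crossed a threshold.
    """
    ratio = Fraction(1)
    for c in conns:
        # Model assumption: a honeypot contact is scanning evidence however it
        # ended; otherwise a completed handshake is a success observation.
        success = c.established and not is_honeypot(c)
        if success:
            ratio *= THETA1 / THETA0          # each success multiplies by 1/4
        else:
            ratio *= (1 - THETA1) / (1 - THETA0)  # each failure multiplies by 4
        if ratio >= ETA1:
            return "scanner"
        if ratio <= ETA0:
            return "benign"
    return None


# Constructed sample: one host sweeping the darknet, where the honeypots answer.
SWEEP = [
    Connection("198.51.100.7", "192.0.2.130", 22, True),
    Connection("198.51.100.7", "192.0.2.131", 22, True),
    Connection("198.51.100.7", "192.0.2.132", 80, True),
    Connection("198.51.100.7", "192.0.2.133", 445, True),
    Connection("198.51.100.7", "192.0.2.10", 22, False),
]

if __name__ == "__main__":
    print("set lookup:   ", trw_classify(SWEEP, honeypot_by_set))     # benign
    print("policy lookup:", trw_classify(SWEEP, honeypot_by_policy))  # scanner
```

With the set-based predicate the four answered probes count as successes and the walk drops below 1/99 after four steps, so the sweeping host is declared benign; with the policy predicate the same four probes are recognised as honeypot contacts and the walk crosses 99, declaring it a scanner. That is the skew the post describes, and the only change between the two runs is which function the detector was handed.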
